Adversaries who have already obtained a user's credentials or an OAuth token can stage and exfiltrate data through the same cloud apps (SharePoint Online, OneDrive, Exchange Online) that Microsoft Purview and Defender for Cloud Apps monitor, because the activity blends in with normal user behaviour. Correlating the SecurityAlert table with CloudAppEvents shows which alerted files were actually accessed, by which account and from which client IP. SOC teams should proactively hunt for this behaviour in their Microsoft Sentinel (formerly Azure Sentinel) environment to identify potential data theft or insider threats.
KQL Query
SecurityAlert
| where TimeGenerated >= ago(30d)
| extend EntitiesDynamicArray = parse_json(Entities)
| mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(EntitiesDynamicArray.Type),
    EntityName = tostring(EntitiesDynamicArray.Name)
| where Entitytype =~ "file" and EntityName != ""
| project AlertTime = TimeGenerated, AlertName, ProviderName, EntityName
| join kind=inner (
    CloudAppEvents
    | where TimeGenerated >= ago(30d)
    | extend ActivityObjectsDynamicArray = parse_json(ActivityObjects)
    | mv-expand ActivityObjectsDynamicArray
    | where tostring(ActivityObjectsDynamicArray.Type) =~ "file"
    // SourceFileName, UserId and ClientIP are Office 365 audit fields carried in RawEventData
    | extend EntityName = tostring(RawEventData.SourceFileName),
        UserId = tostring(RawEventData.UserId),
        ClientIP = tostring(RawEventData.ClientIP)
    | where EntityName != ""
    | project EventTime = TimeGenerated, Application, ActionType, AccountDisplayName, UserId, ClientIP, UserAgent, EntityName
) on EntityName
The join key is the bare file name taken from the alert entity and from RawEventData.SourceFileName, so a common name such as "report.docx" will match events from unrelated users; bounding both sides to the same window (30 days here) keeps the join cheap, and the projected UserId, ClientIP and UserAgent columns are what you pivot on to separate a genuine exfiltration from routine access.
id: a1adce9c-5945-4a20-984e-d95b6071a791
name: Integrate Purview with Cloud App Events
description: |
  This query searches for files referenced in Cloud App Events that have also triggered a security alert.
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
  - connectorId: MicrosoftCloudAppSecurity
    dataTypes:
      - SecurityAlert
tactics:
  - Collection
relevantTechniques:
  - T1074
query: |
  SecurityAlert
  | where TimeGenerated >= ago(30d)
  | extend EntitiesDynamicArray = parse_json(Entities)
  | mv-expand EntitiesDynamicArray
  | extend Entitytype = tostring(EntitiesDynamicArray.Type),
      EntityName = tostring(EntitiesDynamicArray.Name)
  | where Entitytype =~ "file" and EntityName != ""
  | project AlertTime = TimeGenerated, AlertName, ProviderName, EntityName
  | join kind=inner (
      CloudAppEvents
      | where TimeGenerated >= ago(30d)
      | extend ActivityObjectsDynamicArray = parse_json(ActivityObjects)
      | mv-expand ActivityObjectsDynamicArray
      | where tostring(ActivityObjectsDynamicArray.Type) =~ "file"
      // SourceFileName, UserId and ClientIP are Office 365 audit fields carried in RawEventData
      | extend EntityName = tostring(RawEventData.SourceFileName),
          UserId = tostring(RawEventData.UserId),
          ClientIP = tostring(RawEventData.ClientIP)
      | where EntityName != ""
      | project EventTime = TimeGenerated, Application, ActionType, AccountDisplayName, UserId, ClientIP, UserAgent, EntityName
  ) on EntityName
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: EntityName
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP
version: 1.0.0
kind: Scheduled
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ingested by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure this data connector is enabled and the CloudAppEvents data type is selected |
| SecurityAlert | Populated by the Microsoft Defender for Cloud Apps (MicrosoftCloudAppSecurity) connector; ensure this data connector is enabled so Purview and Cloud Apps alerts land in the table |
Scenario: A system administrator is manually syncing user data between Azure Active Directory and Microsoft Purview using the Azure AD Connect tool.
Filter/Exclusion: Exclude events whose acting account (UserId or AccountDisplayName) is the Azure AD Connect or Microsoft Identity Manager (MIIS) synchronization service account.
Scenario: A scheduled job runs to export compliance reports from Microsoft Purview to a shared storage location (e.g., Azure Blob Storage) for audit purposes.
Filter/Exclusion: Exclude events where the acting account is the Purview Export Job or Purview Compliance Report Export service identity.
Scenario: A DevOps team is deploying a new cloud application using Azure DevOps pipelines, which triggers a series of cloud app events in Purview as part of the deployment process.
Filter/Exclusion: Exclude events whose UserAgent or acting account identifies the Azure DevOps service connection or the CI/CD pipeline identity.
Scenario: An IT support technician is troubleshooting a user access issue and manually checks the Purview access logs via the Microsoft 365 admin center.
Filter/Exclusion: Exclude events generated by Microsoft 365 Admin Center or Purview Access Log Review activity (match on Application and ActionType rather than on the technician's account, so that the same account downloading files elsewhere is still surfaced).
Scenario: A cloud security team is performing a routine compliance check using Microsoft Purview and exports the data to a SIEM system for analysis.
Filter/Exclusion: Exclude events where the acting account is the Purview Compliance Export or SIEM Data Sync Job service identity.
Apply these exclusions as where clauses on the CloudAppEvents side of the join, keyed on the columns the query already projects (UserId, AccountDisplayName, UserAgent, Application, ActionType), and scope each one to the specific service identity rather than to a whole application, otherwise the exclusion also hides an attacker who uses the same app.
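The following Python is an added example, not part of the original page or of any Microsoft project: it re-implements the hunting query's logic (expand alert entities, keep file entities, expand CloudAppEvents activity objects, inner-join on file name, then apply the exclusions from the scenarios above) over constructed SecurityAlert and CloudAppEvents rows, so the detection can be reasoned about and unit-tested offline. The sample rows, the account names and the exclusion lists are assumptions chosen for the example; the field names SourceFileName, UserId and ClientIP follow the Office 365 audit record schema carried in RawEventData.

```python
import json

# Constructed sample rows for this example (not real tenant data). Their
# shapes follow SecurityAlert.Entities, CloudAppEvents.ActivityObjects and
# CloudAppEvents.RawEventData as used by the KQL query on this page.
SECURITY_ALERTS = [
    {
        "AlertName": "Mass download by a single user",
        "Entities": json.dumps([
            {"Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.com"},
            {"Type": "file", "Name": "Q3-forecast.xlsx"},
        ]),
    },
    {   # alert with no file entity: contributes nothing to the join
        "AlertName": "Suspicious OAuth app consent",
        "Entities": json.dumps([{"Type": "account", "Name": "svc-app", "UPNSuffix": "contoso.com"}]),
    },
]

CLOUD_APP_EVENTS = [
    {   # interactive download of the alerted file: should be surfaced
        "Application": "Microsoft SharePoint Online",
        "ActionType": "FileDownloaded",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0)",
        "ActivityObjects": json.dumps([{"Type": "File", "Name": "Q3-forecast.xlsx"}]),
        "RawEventData": {"SourceFileName": "Q3-forecast.xlsx",
                         "UserId": "jdoe@contoso.com", "ClientIP": "203.0.113.7"},
    },
    {   # same file pulled by a CI/CD pipeline identity: expected noise
        "Application": "Microsoft SharePoint Online",
        "ActionType": "FileDownloaded",
        "UserAgent": "AzurePipelines/1.0",
        "ActivityObjects": json.dumps([{"Type": "File", "Name": "Q3-forecast.xlsx"}]),
        "RawEventData": {"SourceFileName": "Q3-forecast.xlsx",
                         "UserId": "svc-devops@contoso.com", "ClientIP": "198.51.100.9"},
    },
    {   # file with no matching alert: dropped by the inner join
        "Application": "OneDrive for Business",
        "ActionType": "FileAccessed",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0)",
        "ActivityObjects": json.dumps([{"Type": "File", "Name": "lunch-menu.docx"}]),
        "RawEventData": {"SourceFileName": "lunch-menu.docx",
                         "UserId": "asmith@contoso.com", "ClientIP": "203.0.113.8"},
    },
]


def alert_file_entities(alerts):
    """Left side of the join: expand SecurityAlert.Entities and keep entities
    whose Type is "file" (case-insensitive, like =~) and whose Name is set."""
    rows = []
    for alert in alerts:
        for ent in json.loads(alert["Entities"]):
            name = str(ent.get("Name", ""))
            if str(ent.get("Type", "")).lower() == "file" and name:
                rows.append({"AlertName": alert["AlertName"], "EntityName": name})
    return rows


def cloud_app_file_events(events):
    """Right side of the join: expand ActivityObjects, keep file objects and take
    the file name, acting user and client IP from the RawEventData audit record."""
    rows = []
    for ev in events:
        raw = ev["RawEventData"]
        for obj in json.loads(ev["ActivityObjects"]):
            name = str(raw.get("SourceFileName", ""))
            if str(obj.get("Type", "")).lower() != "file" or not name:
                continue
            rows.append({"EntityName": name, "Application": ev["Application"],
                         "ActionType": ev["ActionType"], "UserAgent": ev["UserAgent"],
                         "UserId": str(raw.get("UserId", "")),
                         "ClientIP": str(raw.get("ClientIP", ""))})
    return rows


def join_alerts_to_events(alerts, events):
    """join kind=inner ... on EntityName: every (alert entity, event) pair sharing a file name."""
    by_name = {}
    for a in alert_file_entities(alerts):
        by_name.setdefault(a["EntityName"], []).append(a)
    return [{**a, **ev} for ev in cloud_app_file_events(events)
            for a in by_name.get(ev["EntityName"], [])]


# Hypothetical exclusion lists implementing the scenarios above; a real tenant
# fills these from the service identities and user agents it actually observes.
EXCLUDED_USERS = {"svc-devops@contoso.com", "svc-purview-export@contoso.com"}
EXCLUDED_USER_AGENT_PREFIXES = ("azurepipelines/",)


def apply_exclusions(rows):
    """Drop known-benign automation (CI/CD, scheduled exports) by acting account
    or user agent, scoped to the identity rather than to the whole application."""
    return [r for r in rows
            if r["UserId"].lower() not in EXCLUDED_USERS
            and not r["UserAgent"].lower().startswith(EXCLUDED_USER_AGENT_PREFIXES)]


def hunt(alerts=SECURITY_ALERTS, events=CLOUD_APP_EVENTS):
    return apply_exclusions(join_alerts_to_events(alerts, events))


if __name__ == "__main__":
    for r in hunt():
        print(f'{r["AlertName"]}: {r["UserId"]} {r["ActionType"]} {r["EntityName"]} '
              f'from {r["ClientIP"]} via {r["Application"]}')
```

Run as-is, the join produces two rows for Q3-forecast.xlsx (the user and the pipeline identity) and the exclusions leave only the interactive download by jdoe@contoso.com, which is the row an analyst would investigate; lunch-menu.docx never appears because no alert names it. Swap in your own exported rows to check that a proposed exclusion removes only the automation you intended.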